#!/usr/bin/env ansible-playbook
---
- hosts:
- isp-1.rtr.infra.auro.re
- isp-2.rtr.infra.auro.re
vars:
nftables__vars:
adm_ipv6: 2a09:6840:128::/56
adm_ipv4: 10.128.0.0/16
backbone_ipv6: 2a09:6840:203::/56
backbone_ipv4: 10.203.0.0/16
mgmt_ipv6: 2a09:6840:211::/56
mgmt_ipv4: 10.211.0.0/16
clients_ipv6: 2a09:6841::/48
clients_ipv4: 100.64.0.0/10
nftables__tables:
blacklist:
type: inet
sets:
blacklist_ipv6:
type: ipv6_addr
flags:
- interval
blacklist_ipv4:
type: ipv4_addr
flags:
- interval
chains:
filter:
type: filter
hook: prerouting
priority: "raw - 10"
policy: accept
rules:
- "ip6 saddr @blacklist_ipv6 counter drop"
- "ip saddr @blacklist_ipv4 counter drop"
reverse_path_filter:
type: inet
chains:
filter:
type: filter
hook: prerouting
priority: raw
policy: accept
rules:
- "fib saddr . iif oif missing pkttype unicast drop"
filter:
type: inet
sets:
allowed_clients_ipv6:
type: ipv6_addr
flags:
- interval
allowed_clients_ipv4:
type: ipv4_addr
flags:
- interval
chains:
conntrack:
rules:
- "ct state { established, related } accept"
- "ct state invalid counter drop"
input_backbone:
rules:
- "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
- "ip protocol { ospf, vrrp, icmp } accept"
- "tcp dport 179 accept"
input_mgmt:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
- "tcp dport 22 accept"
input_other:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
input:
type: filter
hook: input
priority: filter
policy: drop
rules:
- "jump conntrack"
- "iif lo accept"
# FIXME: don't use ifaces
- "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
- "ip6 saddr vmap { \
$backbone_ipv6: goto input_backbone, \
$mgmt_ipv6: goto input_mgmt, \
$adm_ipv6: goto input_mgmt \
}"
- "ip saddr vmap { \
$backbone_ipv4: goto input_backbone, \
$mgmt_ipv4: goto input_mgmt, \
$adm_ipv4: goto input_mgmt \
}"
- "goto input_other"
forward_clients:
rules:
- "ip6 daddr $clients_ipv6 drop"
- "ip daddr $clients_ipv4 drop"
- "ip6 saddr @allowed_clients_ipv6 accept"
- "ip saddr @allowed_clients_ipv4 accept"
forward:
type: filter
hook: forward
priority: filter
policy: drop
rules:
- "jump conntrack"
- "ip6 saddr $clients_ipv6 goto forward_clients"
- "ip saddr $clients_ipv4 goto forward_clients"
output:
type: filter
hook: output
priority: filter
policy: accept
rules:
- "jump conntrack"
roles:
- nftables
- hosts:
- infra-1.rtr.infra.auro.re
- infra-2.rtr.infra.auro.re
vars:
nftables__vars:
adm_ipv6: 2a09:6840:128::/56
adm_ipv4: 10.128.0.0/16
backbone_ipv6: 2a09:6840:203::/56
backbone_ipv4: 10.203.0.0/16
mgmt_ipv6: 2a09:6840:211::/56
mgmt_ipv4: 10.211.0.0/16
int_ipv6: 2a09:6840:206::/56
int_ipv4: 10.206.0.0/16
local_ipv4:
- 100.64.0.0/10
- 10.0.0.0/8
- 45.66.108.0/22
nftables__tables:
blacklist:
type: inet
sets:
blacklist_ipv6:
type: ipv6_addr
flags:
- interval
blacklist_ipv4:
type: ipv4_addr
flags:
- interval
chains:
filter:
type: filter
hook: prerouting
priority: "raw - 10"
policy: accept
rules:
- "ip6 saddr @blacklist_ipv6 counter drop"
- "ip saddr @blacklist_ipv4 counter drop"
reverse_path_filter:
type: inet
chains:
filter:
type: filter
hook: prerouting
priority: raw
policy: accept
rules:
- "fib saddr . iif oif missing pkttype unicast drop"
filter:
type: inet
chains:
conntrack:
rules:
- "ct state { established, related } accept"
- "ct state invalid counter drop"
input_backbone:
rules:
- "ip6 nexthdr { ospf, vrrp, icmpv6 } accept"
- "ip protocol { ospf, vrrp, icmp } accept"
- "tcp dport 179 accept"
input_mgmt:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
- "tcp dport 22 accept"
input_other:
rules:
- "ip6 nexthdr icmpv6 accept"
- "ip protocol icmp accept"
input:
type: filter
hook: input
priority: filter
policy: drop
rules:
- "jump conntrack"
- "iif lo accept"
# FIXME: don't use ifaces
- "ip6 saddr fe80::/10 iifname ens19 goto input_backbone"
- "ip6 saddr vmap { \
$backbone_ipv6: goto input_backbone, \
$mgmt_ipv6: goto input_mgmt, \
$adm_ipv6: goto input_mgmt \
}"
- "ip saddr vmap { \
$backbone_ipv4: goto input_backbone, \
$mgmt_ipv4: goto input_mgmt, \
$adm_ipv4: goto input_mgmt \
}"
- "goto input_other"
forward:
type: filter
hook: forward
priority: filter
policy: drop
rules:
- "jump conntrack"
- "ip6 saddr $int_ipv6 accept" # FIXME
- "ip saddr $int_ipv4 accept" # FIXME
output:
type: filter
hook: output
priority: filter
policy: accept
rules:
- "jump conntrack"
nat:
type: ip
chains:
postrouting:
type: nat
hook: postrouting
priority: srcnat
policy: accept
rules:
- "ip daddr != $local_ipv4 snat to 10.128.10.4"
roles:
- nftables
...